Information system control and audit Ch1 elements that ...


Page 1: Information system control and audit Ch1 elements that ...

Information system control and audit

Ch1

Definition of System: The term system may be defined as a set of interrelated elements that operate collectively to accomplish some common purpose or goal.

System Environment: The system is a collection of elements; the elements outside it that surround the system and often interact with it make up its environment.

Open system and Closed system

Open System: A system that interacts freely with its environment by taking input and returning output is termed an open system.

Closed System: A system that neither interacts with the environment nor changes with changes in the environment is termed a closed system.

Decomposition: A complex system is difficult to comprehend when considered as a whole, so it is decomposed into smaller subsystems that can be understood separately.

Difference between manual and automated systems:

Manual system: where data collection, manipulation, maintenance and final reporting are carried out entirely by human effort.

Automated system: where computers or microprocessors are used to carry out all the tasks mentioned above.

Deterministic and Probabilistic systems:

A deterministic system operates in a predictable manner: the interaction among the parts is known with certainty.

A probabilistic system can be described in terms of probable behaviour, but a certain degree of error is always attached to any prediction of what the system will do.

INFORMATION: Information is data that have been put into a meaningful and useful context.

Attributes of Information: The important attributes of useful and effective information are as follows:

1. Availability
2. Purpose
3. Mode and format
4. Decay
5. Rate
6. Frequency
7. Completeness
8. Reliability
9. Cost benefit analysis
10. Validity

Factors on which Information requirements depend: The factors on which the information requirements of executives depend are:

1. Operational function.
2. Type of decision making.
3. Level of management activity.

Difference between programmed and non-programmed decisions:

* Programmed decisions: Programmed decisions or structured decisions refer to decisions made on problems and situations by reference to a predetermined set of precedents, procedures, techniques and rules.

* Non-programmed decisions: Non-programmed decisions or unstructured decisions are those made on situations and problems which are novel and non-repetitive and about which not much knowledge and information is available.

Difference between internal and external information:

Internal information: Internal information can be defined as information that has been generated from the operations of the organization at its various functional areas. Internal information gets processed and summarized from the junior to the top-most level of management.

External information: External information is collected from the external environment of the business organization.

Types of Information at different levels of management (with diagram):

• Transaction Processing System (TPS): A TPS, at the lowest level of management, is an information system that manipulates data from business transactions.

• Management Information System (MIS): An integrated user-machine system designed for providing information to support the operational control, management control and decision-making functions in an organization.

Characteristics of an effective MIS:

1. Management oriented
2. Management directed
3. Integrated
4. Common data flows
5. Heavy planning element
6. Sub-system concept

Ch2

WHAT IS THE SYSTEMS DEVELOPMENT PROCESS?

Computer information systems serve many different purposes, ranging from the processing of business transactions (the life blood of many organizations) to providing information needed to decide recurring issues, assisting senior officials with difficult strategy formulation, and linking office information and corporate data.

The systems development life cycle method consists of the following activities:

(i) Preliminary investigation
(ii) Requirements analysis or systems analysis
(iii) Design of system
(iv) Development of software
(v) Systems testing
(vi) Implementation and maintenance

Achieving systems development objectives: There are many reasons why organizations fail to achieve their systems development objectives. Although we cannot catalog all the reasons, we can summarize a few representative samples here:

• Shifting user needs.
• Development of strategic systems.
• Lack of standard project management and systems development methodologies.
• Overworked or under-trained development staff.
• Resistance to change.

SYSTEMS DEVELOPMENT METHODOLOGY

A systems development methodology [also known as systems development life cycle (SDLC) methodology] is a formalized, standardized, documented set of activities used to manage a systems development project.

Testing a project's feasibility:

After possible solution options are identified, project feasibility (the likelihood that these systems will be useful for the organization) is assessed. A feasibility study is carried out by the system analysts for this purpose.

Technical feasibility: It is concerned with hardware and software. Essentially, the analyst ascertains whether the proposed system is feasible with existing or expected computer hardware and software technology.

Economic feasibility: It includes an evaluation of all the incremental costs and benefits expected if the proposed system is implemented. This is the most difficult aspect of the study.

Operational feasibility: It is concerned with ascertaining the views of workers, employees, customers and suppliers about the use of the computer facility.

Schedule feasibility: Schedule feasibility involves the design team estimating how long it will take a new or revised system to become operational and communicating this information to the steering committee.

Legal feasibility: Legal feasibility is largely concerned with whether there will be any conflict between a newly proposed system and the organization's legal obligations.

Requirements Analysis: The focus is on determining user needs, studying the application area in depth, assessing the strengths and weaknesses of the present system and reporting results to management. Various fact-finding techniques, which are used by the system analyst for determining these needs/requirements, are listed below:

1. Documents
2. Questionnaires
3. Interviews
4. Observation

Analysis of the Present System: Detailed investigation of the present system involves collecting, organizing and evaluating facts about the system and the environment in which it operates. The following areas should be studied in depth:

1. Review historical aspects
2. Analyze inputs
3. Review data files maintained
4. Review methods, procedures and data communications
5. Analyze outputs
6. Review internal controls
7. Model the existing physical system and logical system

SYSTEM DEVELOPMENT TOOLS

1. System components and flows
2. User interface
3. Data attributes and relationships
4. Detailed system process

SOFTWARE DEVELOPMENT

(i) Program analysis: In this stage, the programmer ascertains, for a particular application, the outputs required, the inputs available and the processing needed. The programmer then determines whether the proposed application can be, or should be, programmed at all.

(ii) Program design: In this stage, the programmer develops the general organisation of the program as it relates to the main functions to be performed.

(iii) Program coding: The logic of the program outlined in the flowcharts is converted into program statements or instructions at this stage.

(iv) Debugging the program: The process of debugging a program refers to correcting programming language syntax and diagnostic errors so that the program “compiles cleanly”.

(v) Program documentation: The writing of narrative procedures and instructions for the people who will use the software is done throughout the program life cycle.

(vi) Program maintenance: The requirements of business data processing applications are subject to continual change.

ALTERNATE DEVELOPMENT METHODOLOGY

Various alternative approaches are discussed below:

(i) Prototyping approaches: The traditional approach sometimes may take years to analyse, design and implement a system.

Advantages of Prototyping

1. Prototyping requires intensive involvement by the system users.
2. A very short time period (e.g., a week) is normally required to develop and start experimenting with a prototype.
3. Since system users experiment with each version of the prototype through an interactive process, errors are hopefully detected and eliminated early in the development process.

Disadvantages of Prototyping

1. Prototyping can only be successful if the system users are willing to devote significant time to experimenting with the prototype and providing the system developers with change suggestions.
2. The interactive process of prototyping causes the prototype to be experimented with quite extensively.
3. Prototyping may cause behavioural problems with system users.

Risks of end-user computing: There are many advantages to end-user computing, but there are also a number of risks involved. These risks include the following:

1. A decline in standards and controls. When an analyst is in charge of developments, walkthroughs will be done and standards
2. Inaccuracy of specification requirements.
3. Due to the lack of adequate specifications, there would be a reduction in the quality assurance and stability of the system.
4. An increase in unrelated and incompatible systems.
5. Difficulties in access could arise for users trying to access a central system, such as the corporate database, with a proliferation of different systems and applications.

CHAPTER 3

EFFECT OF COMPUTERS ON INTERNAL AUDIT: Each of these effects is discussed in these notes.

Changes in the audit trail and audit evidence:

(a) Data retention and storage
(b) Absence of input documents
(c) Lack of a visible audit trail
(d) Lack of visible output
(e) Audit evidence
(f) Legal issues

Change in the type and nature of internal controls:

* Personnel
* Segregation of duties
* Authorization procedures
* Record keeping
* Access to assets and records
* Management supervision and review

New causes and sources of error:

(a) System generated transactions: The main reason clients are starting to use these types of system is that they can increase processing efficiency (for example, if a computer system can generate transactions automatically there will be no need to employ someone to do it manually, and hence lower staff costs).

(b) Systematic error: If the computer is doing the wrong thing and processing a type of transaction incorrectly, it will continue to handle the same type of transaction incorrectly every time.

New audit processes: Within a computerized environment the auditor may be required to adopt a different audit approach to gain sufficient audit evidence to provide an opinion on the financial statements.

RESPONSIBILITY OF CONTROLS: The information system managers must take systematic and proactive measures to:

(i) Develop and implement appropriate, cost-effective internal control for results-oriented management;
(ii) Assess the adequacy of internal control in programs and operations;
(iii) Separately assess and document internal control over information systems consistent with the information security policy of the organization;
(iv) Identify needed improvements;
(v) Take corresponding corrective action; and
(vi) Report annually on internal control through management assurance statements.

CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY (COBIT)

The framework allows:

(1) Management to benchmark the security and control practices of IT environments,
(2) Users of IT services to be assured that adequate security and control exist, and
(3) Auditors to substantiate their opinions on internal control and to advise on IT security and control matters.

The framework addresses the issue of control from three vantage points, or dimensions:

1. Business objectives. The criteria are divided into seven distinct yet overlapping categories that map into the COSO objectives: effectiveness (relevant, pertinent, and timely), efficiency, confidentiality, integrity, availability, compliance with legal requirements, and reliability.

2. IT resources, which include people, application systems, technology, facilities, and data.

3. IT processes, which are broken into four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring.

INFORMATION SYSTEMS CONTROL TECHNIQUES

The information system auditor will be most familiar with:

* Accounting controls, i.e. those controls which are intended to safeguard the client’s assets and ensure the reliability of the financial records.

The other two types of control likely to be encountered are:

* Operational controls: These deal with the day-to-day operations, functions and activities to ensure that the operational activities are contributing to business objectives.

* Administrative controls: These are concerned with ensuring efficiency and compliance with management policies, including the operational controls.

Auditor’s categorization of controls

We categorize the controls into the following four groups:

(i) Preventive controls: Preventive controls are those inputs which are designed to prevent an error, omission or malicious act from occurring.

(ii) Detective controls: These controls are designed to detect errors, omissions or malicious acts that occur and report the occurrence.

(iii) Corrective controls: Corrective controls are designed to reduce the impact of or correct an error once it has been detected. A business continuity plan is considered to be a significant corrective control.

(iv) Compensatory controls: These controls are basically designed to reduce the probability of threats which can exploit the vulnerabilities of an asset and cause a loss to that asset.

Audit Trails: Audit trails are logs that can be designed to record activity at the system, application, and user level.

Audit Trail Objectives: Audit trails can be used to support security objectives in three ways:

• Detecting unauthorized access to the system,
• Facilitating the reconstruction of events, and
• Promoting personal accountability.
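The three objectives above become concrete when an auditor actually reads a trail. The following is an added example (not code from the notes): a constructed application audit trail, a constructed permission table, and one function per objective. Every user name, object name and event in it is made up for illustration.

```python
"""Reviewing an audit trail for the three objectives above.

Added example, not part of the original notes. The log format, the
permission table and every event below are constructed for illustration.
"""
from collections import Counter
from datetime import datetime

# Constructed audit trail: timestamp | user | action | object | outcome
AUDIT_TRAIL = """\
2024-03-04T09:01:12 | alice | LOGIN  | workstation-07 | SUCCESS
2024-03-04T09:02:40 | alice | READ   | GL_ledger      | SUCCESS
2024-03-04T09:05:03 | bob   | LOGIN  | workstation-12 | FAILURE
2024-03-04T09:05:21 | bob   | LOGIN  | workstation-12 | FAILURE
2024-03-04T09:05:44 | bob   | LOGIN  | workstation-12 | FAILURE
2024-03-04T09:06:10 | bob   | LOGIN  | workstation-12 | SUCCESS
2024-03-04T09:07:30 | bob   | UPDATE | payroll_master | SUCCESS
2024-03-04T09:10:15 | carol | READ   | payroll_master | DENIED
2024-03-04T09:11:00 | alice | LOGOUT | workstation-07 | SUCCESS
"""

# Constructed authorization table: (action, object) pairs each user may perform.
PERMITTED = {
    "alice": {("READ", "GL_ledger")},
    "bob": {("READ", "payroll_master")},   # read only: his UPDATE below is out of policy
    "carol": set(),
}


def parse_trail(text):
    """Turn the pipe-separated trail into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, obj, outcome = (f.strip() for f in line.split("|"))
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "action": action, "object": obj, "outcome": outcome})
    return events


def detect_unauthorized(events, permitted):
    """Objective 1: accesses outside the permission table.

    A DENIED outcome shows the preventive control worked; a SUCCESS outside
    the table shows it did not, which is the finding the auditor cares about.
    """
    return [e for e in events
            if e["action"] not in ("LOGIN", "LOGOUT")
            and (e["action"], e["object"]) not in permitted.get(e["user"], set())]


def failed_login_bursts(events, threshold=3):
    """Objective 1 again: users whose consecutive LOGIN failures reach the threshold."""
    streak, bursts = Counter(), {}
    for e in events:
        if e["action"] != "LOGIN":
            continue
        if e["outcome"] == "FAILURE":
            streak[e["user"]] += 1
            if streak[e["user"]] >= threshold:
                bursts[e["user"]] = streak[e["user"]]
        else:
            streak[e["user"]] = 0
    return bursts


def reconstruct(events, obj):
    """Objective 2: the chronological history of one object."""
    return [(e["time"].isoformat(), e["user"], e["action"], e["outcome"])
            for e in sorted(events, key=lambda e: e["time"]) if e["object"] == obj]


def accountability(events):
    """Objective 3: every recorded action is attributable to a named user."""
    return dict(Counter(e["user"] for e in events))


if __name__ == "__main__":
    evts = parse_trail(AUDIT_TRAIL)
    for e in detect_unauthorized(evts, PERMITTED):
        print("out of policy:", e["user"], e["action"], e["object"], e["outcome"])
    print("login bursts:", failed_login_bursts(evts))
    print("payroll_master history:", reconstruct(evts, "payroll_master"))
    print("actions per user:", accountability(evts))
```

Two findings come out of this trail: carol's DENIED read shows a preventive control doing its job, while bob's successful UPDATE of payroll_master shows one that did not, since his permission is read only. The second kind is the one an auditor follows up, and the trail only supports that follow-up because each event carries a user name (objective 3) and a timestamp that lets the sequence be rebuilt (objective 2).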

SYSTEM DEVELOPMENT AND ACQUISITION CONTROLS

System development and acquisition controls include the following key elements:

1. Strategic master plan. There is a need for a strategic master plan.
2. Project controls. A project development plan shows how a project will be completed, including the modules or tasks to be performed.
3. Data processing schedule. To maximize the use of scarce computer resources, all data processing tasks should be organized according to a data processing schedule.
4. System performance measurements. For a system to be evaluated properly, it must be assessed using system performance measurements.
5. Post-implementation review. After a development project is completed, a post-implementation review should be performed to determine if the anticipated benefits were achieved.

CONTROL OVER SYSTEM AND PROGRAM CHANGES

Change Management Controls: These controls should include the following:

• Periodically review all systems for needed changes.
• Require all requests to be submitted in a standardized format.
• Log and review requests from authorized users for changes and additions to systems.
• Categorize and rank all changes using established priorities.
• Communicate all changes to management.

Documentation controls. Assessing documentation involves evaluating OJP's (Office of Justice Programs)

Classification of Information:

Top Secret: Highly sensitive internal information relating to, e.g., pending mergers or acquisitions; investment strategies; plans or designs.

Highly Confidential: Information that, if made public or even shared around the organization, could seriously impede the organization's operations and is considered critical to its ongoing operations.

Proprietary: Information of a proprietary nature; procedures, operational work routines, project plans, designs and specifications that define the way in which the organization operates.

Internal Use Only: Information not approved for general circulation outside the organization, where its loss would inconvenience the organization or management but where disclosure is unlikely to result in financial loss or serious damage to credibility.

Public Documents: Information in the public domain; annual reports, press statements etc., which has been approved for public use. Security at this level is minimal.

Data Integrity: Data integrity controls protect data from accidental or malicious alteration or destruction and provide assurance to the user that the information meets expectations about its quality and integrity.

Logical Access Issues and Exposures: Controls that reduce the risk of misuse (intentional or unintentional), theft, alteration or destruction should be used to protect computer files from unauthorized and unnecessary access.

Access control mechanisms should provide security to the following:

• Libraries
• Password library
• Procedure libraries
• System software

PHYSICAL ACCESS CONTROLS: The following issues are discussed:

• Physical Access Issues and Exposures
• Physical Access Controls
• Audit and evaluation techniques for physical access.

Physical Access Issues and Exposures: The following points elucidate the results of accidental or intentional violation of the access paths:

• Blackmail
• Embezzlement
• Unauthenticated entry

Access Control Mechanisms: The mechanism processes the user's request for resources in three steps:

• Identification
• Authentication
• Authorization

Authorization: There are two approaches to implementing the authorization module in an access control mechanism:

(a) a “ticket oriented approach”
(b) a “list oriented approach”

In a ticket-oriented approach to authorization, the access control mechanism assigns users a ticket for each resource they are permitted to access.

In a list-oriented approach, the mechanism associates with each resource a list of users who can access the resource and the action privileges that each user has with respect to the resource.
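The three steps and the two authorization designs can be shown side by side. Below is an added example, not the notes' own code: one set of credentials and one policy are loaded into both a list-oriented module (a per-resource list of users and privileges) and a ticket-oriented module (a per-user set of tickets), and the same requests are run through each. Users, passwords, resources and the policy are constructed; PBKDF2 stands in for whatever password store a real system would use.

```python
"""Identification, authentication and authorization, with the two authorization
designs described above built from one policy.

Added example, not the notes' own code. Users, passwords, resources and the
policy are constructed; PBKDF2 stands in for whatever password store a real
system would use.
"""
import hashlib
import hmac
import os
from collections import defaultdict


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Credentials:
    """Steps 1 and 2: identification (is the claimed user known?) and
    authentication (does the supplied secret match the stored salted hash?)."""

    def __init__(self):
        self._store = {}

    def enrol(self, user, password):
        salt = os.urandom(16)
        self._store[user] = (salt, _derive(password, salt))

    def authenticate(self, user, password):
        if user not in self._store:            # identification fails: unknown principal
            return False
        salt, digest = self._store[user]
        return hmac.compare_digest(_derive(password, salt), digest)


class ListOriented:
    """Step 3, list-oriented: each resource carries a list of users and their privileges."""

    def __init__(self):
        self.acl = defaultdict(dict)            # resource -> {user: {privileges}}

    def grant(self, user, resource, privileges):
        self.acl[resource][user] = set(privileges)

    def allowed(self, user, resource, action):
        return action in self.acl.get(resource, {}).get(user, set())

    def review_resource(self, resource):
        """Cheap question for this design: who can touch this resource?"""
        return dict(self.acl.get(resource, {}))


class TicketOriented:
    """Step 3, ticket-oriented: each user holds a ticket per resource they may use."""

    def __init__(self):
        self.tickets = defaultdict(dict)        # user -> {resource: {privileges}}

    def grant(self, user, resource, privileges):
        self.tickets[user][resource] = set(privileges)

    def allowed(self, user, resource, action):
        return action in self.tickets.get(user, {}).get(resource, set())

    def review_user(self, user):
        """Cheap question for this design: what may this user touch?"""
        return dict(self.tickets.get(user, {}))


class AccessControl:
    """Runs the three steps in order; a failure at any step denies the request."""

    def __init__(self, creds, authz):
        self.creds, self.authz = creds, authz

    def request(self, user, password, resource, action):
        if not self.creds.authenticate(user, password):
            return "denied: identification/authentication"
        if not self.authz.allowed(user, resource, action):
            return "denied: authorization"
        return "granted"


# Constructed policy: (user, resource, privileges)
POLICY = [
    ("alice", "GL_ledger", {"read", "write"}),
    ("bob", "GL_ledger", {"read"}),
    ("bob", "payroll_master", {"read", "write"}),
]


def build(authz_cls):
    """Same credentials and policy, loaded into either authorization design."""
    creds = Credentials()
    creds.enrol("alice", "correct horse")      # constructed test passwords
    creds.enrol("bob", "battery staple")
    authz = authz_cls()
    for user, resource, privs in POLICY:
        authz.grant(user, resource, privs)
    return AccessControl(creds, authz)


def decision_matrix(ac, users, resources, actions):
    """Authorization decisions alone, to show both designs encode the same access matrix."""
    return {(u, r, a): ac.authz.allowed(u, r, a)
            for u in users for r in resources for a in actions}
```

Both modules give identical answers to "may this user do this action on this resource", because they are two storages of the same access matrix. They differ in which review question is cheap: the list-oriented design answers "who can access this resource" from one list, which also makes revoking everyone's access to a resource a single edit, while the ticket-oriented design answers "what can this user access" from one ticket set, and revoking a resource means finding every ticket that names it.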

SECURITY CONCEPTS AND TECHNIQUES:

Cryptosystems: A cryptosystem refers to a suite of algorithms needed to implement a particular form of encryption and decryption. A cryptosystem consists of three algorithms: one for key generation, one for encryption, and one for decryption.

Encrypting data converts it to an unintelligible form called cipher (ciphertext). Decrypting the cipher converts the data back to its original form, called plaintext.

Public key: made available to those who need to verify the user’s identity.

Private key: stored on the user’s computer or on a separate device such as a smart card.

The certificate authority (CA), which may be the financial institution or its service provider, plays a key role by attesting with a digital certificate that a particular public key and the corresponding private key belong to a specific user or system.

Firewalls: A firewall is a collection of components (computers, routers, and software) that mediate access between different security domains. All traffic between the security domains must pass through the firewall, regardless of the direction of the flow.

There are four primary firewall types from which to choose: packet filtering, stateful inspection, proxy servers, and application-level firewalls.
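The difference between the first two types is easiest to see on the same traffic. The following is an added example, not from the notes: a stateless packet filter and a stateful inspection firewall, each mediating between an inside domain (constructed as 10.0.0.0/8) and the outside, run over four constructed packets. Addresses, ports and rules are all made up for illustration.

```python
"""Packet filtering versus stateful inspection over constructed traffic.

Added example, not from the original notes. The two security domains are
'inside' (constructed 10.0.0.0/8) and 'outside'; addresses, ports, rules and
packets are all constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def direction(p):
    return "outbound" if p.src.startswith("10.") else "inbound"


class PacketFilter:
    """Stateless: each packet is judged on its own header fields against an ordered
    rule list (direction, source port, destination port, action); None matches
    any port. First match wins; no match means drop."""

    def __init__(self, rules):
        self.rules = rules

    def decide(self, p):
        for d, sport, dport, action in self.rules:
            if d == direction(p) and sport in (None, p.sport) and dport in (None, p.dport):
                return action
        return "drop"


class StatefulInspection:
    """Keeps a table of flows opened from inside. An inbound packet is accepted only
    if it is the reply half of a flow in that table; nothing else gets in."""

    def __init__(self, outbound_ports):
        self.outbound_ports = set(outbound_ports)
        self.table = set()

    def decide(self, p):
        if direction(p) == "outbound":
            if p.dport in self.outbound_ports:
                self.table.add((p.src, p.sport, p.dst, p.dport))
                return "accept"
            return "drop"
        if (p.dst, p.dport, p.src, p.sport) in self.table:   # reverse of a known flow
            return "accept"
        return "drop"


# Stateless rules: let inside hosts reach HTTPS, and let replies back in. The only
# way a stateless filter can recognise a "reply" is by its source port.
PF_RULES = [
    ("outbound", None, 443, "accept"),
    ("inbound", 443, None, "accept"),
]

# Constructed traffic, in order.
TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443),    # inside client opens HTTPS
    Packet("203.0.113.10", 443, "10.0.0.5", 51000),    # server's reply to that flow
    Packet("203.0.113.99", 443, "10.0.0.5", 3389),     # unsolicited inbound, source port 443
    Packet("10.0.0.5", 51001, "203.0.113.10", 23),     # inside client tries telnet out
]


def run(firewall, packets):
    return [firewall.decide(p) for p in packets]


if __name__ == "__main__":
    print("packet filter:      ", run(PacketFilter(PF_RULES), TRAFFIC))
    print("stateful inspection:", run(StatefulInspection({443}), TRAFFIC))
```

The third packet is the one that separates the two designs: the stateless filter has to admit it because its rule for replies can only look at the source port, whereas the stateful firewall drops it because no inside host ever opened a flow to that address. This is the reason stateful inspection is the stronger control for the "all traffic must pass through the firewall" requirement stated above: the decision depends on what has already been seen, not only on the packet in hand.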

Ch4

Testing: is a process used to identify the correctness, completeness and quality of developed computer software.

SOFTWARE TESTING FUNDAMENTALS:

Testing objectives (these include):

• Testing is a process of executing a program with the intent of finding an error.
• A good test case is one that has a high probability of finding a yet undiscovered error.
• A successful test is one that uncovers a yet undiscovered error.

Causes of Bugs:

1. Specifications
2. Design
3. Coding errors

Test Strategy: A test strategy is the plan to cover the product in such a way as to develop an adequate assessment of quality. A good test strategy is:

• Specific
• Practical
• Justified

Test Plan: The test strategy identifies multiple test levels which are going to be performed for the project. Test plans may be of different types, e.g.:

• Unit test plan
• Integration test plan
• System test plan
• Acceptance test plan

SOFTWARE TESTING:

Static testing: During static testing, you have a checklist to check whether the work you are doing is going as per the set standards of the organization.

Dynamic testing: Dynamic testing involves working with the software, giving input values and checking whether the output is as expected. These are the validation activities.

BLACK BOX TESTING: This type of testing attempts to find errors in the following categories:

1. Incorrect or missing functions,
2. Interface errors,
3. Errors in data structures or external database access,
4. Performance errors, and
5. Initialization and termination errors.

WHITE BOX TESTING: Test cases can be derived that:

• Guarantee that all independent paths within a module have been exercised at least once,
• Exercise all logical decisions on their true and false sides,
• Execute all loops at their boundaries and within their operational bounds, and
• Exercise internal data structures to ensure their validity.
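The contrast between the two kinds of test case can be made visible on a single module. Below is an added example, not from the notes: a constructed approval routine whose logical decisions are instrumented, a black-box test set written from its specification alone, and a white-box set derived from its code so that every decision is taken on both sides and the loop runs zero, one and several times. The module, both test sets and the hand-rolled instrumentation (standing in for a real coverage tool) are constructed.

```python
"""Black-box versus white-box test cases for one small module.

Added example, not from the original notes. The module under test
(approve_batch) and both test sets are constructed; the decision
instrumentation is a hand-rolled stand-in for a coverage tool.
"""
from collections import defaultdict

DECISIONS = defaultdict(set)          # decision name -> sides observed ({True, False})
ALL_DECISIONS = ("empty batch", "non-positive amount", "over limit")


def _hit(name, outcome):
    """Record which side of a logical decision was taken, then return it unchanged."""
    DECISIONS[name].add(bool(outcome))
    return outcome


def approve_batch(amounts, limit):
    """Constructed module under test: approve payment amounts up to `limit`.
    Returns (approved_total, rejected_count)."""
    if _hit("empty batch", not amounts):
        return 0, 0
    approved, rejected = 0, 0
    for amt in amounts:                         # loop: exercised for 0, 1 and many items
        if _hit("non-positive amount", amt <= 0):
            rejected += 1
        elif _hit("over limit", amt > limit):
            rejected += 1
        else:
            approved += amt
    return approved, rejected


def reset():
    DECISIONS.clear()


def uncovered():
    """Decisions not yet exercised on both their true and false sides."""
    return {name: {True, False} - DECISIONS.get(name, set())
            for name in ALL_DECISIONS
            if DECISIONS.get(name, set()) != {True, False}}


def run_cases(cases):
    """Run (amounts, limit, expected) cases; return (failures, uncovered decisions)."""
    reset()
    failures = [(amounts, limit) for amounts, limit, expected in cases
                if approve_batch(amounts, limit) != expected]
    return failures, uncovered()


# Black box: derived from the specification alone ("a valid batch is approved").
BLACK_BOX_CASES = [([100, 250], 1000, (350, 0))]

# White box: derived from the code so every decision is taken both ways and the
# loop runs zero, one and several times.
WHITE_BOX_CASES = BLACK_BOX_CASES + [
    ([], 1000, (0, 0)),                 # empty batch: True; loop zero times
    ([0], 1000, (0, 1)),                # non-positive: True; loop once
    ([5000], 1000, (0, 1)),             # over limit: True
    ([-1, 2000, 300], 1000, (300, 2)),  # all branches in one pass
]

if __name__ == "__main__":
    print("black box:", run_cases(BLACK_BOX_CASES))
    print("white box:", run_cases(WHITE_BOX_CASES))
```

The black-box set passes, yet it never takes the true side of any decision, so a defect in the rejection logic would go unnoticed; the white-box set is what the second bullet above ("all logical decisions on their true and false sides") demands, and `uncovered()` is the check that tells you when you have reached it.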

VOLUME TESTING: The creation of a volume test environment requires considerable effort. The purpose of volume testing is to find weaknesses in the system with respect to its handling of large amounts of data during extended time periods.

PERFORMANCE TESTING: System performance is generally assessed in terms of response time and throughput rates under differing processing and configuration conditions.

Types of audit tools

Different types of continuous audit techniques may be used:

(I) Snapshots: Tracing a transaction in a computerized system can be performed with the help of snapshots or extended records. The snapshot software is built into the system at those points where material processing occurs.

(II) Integrated Test Facility (ITF): The ITF technique involves the creation of a dummy entity in the application system files and the processing of audit test data against the entity as a means of verifying processing authenticity, accuracy, and completeness.

(III) System Control Audit Review File (SCARF): The SCARF technique involves embedding audit software modules within a host application system to provide continuous monitoring of the system’s transactions.

(IV) Continuous and Intermittent Simulation (CIS): This is a variation of the SCARF continuous audit technique. This technique can be used to trap exceptions whenever the application system uses a database management system.
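Techniques (II) and (III) are easier to picture on a working, if tiny, transaction processor, so here is an added example (not the notes' own code) that shows both at once: an embedded audit module that writes exceptions to a SCARF list as each transaction is posted, and a dummy ITF entity against which the auditor's own test transactions are processed inside a live batch. The application, the exception rules, the dummy entity name and the batch are all constructed.

```python
"""Embedded audit module (SCARF) and an integrated test facility (ITF) on a toy
transaction processor.

Added example, not from the original notes. The application, the exception
rules, the dummy entity and the batch of transactions are constructed.
"""
from datetime import datetime

ITF_ENTITY = "ACC-ITF-DUMMY"      # constructed dummy entity owned by the auditor
SCARF = []                        # the audit review file the embedded module writes to


def audit_module(txn, balances):
    """SCARF: runs inside the application on every transaction and records
    exceptions for later review; it never alters processing."""
    reasons = []
    if txn["amount"] >= 10_000:
        reasons.append("large amount")
    if not 8 <= datetime.fromisoformat(txn["time"]).hour < 18:
        reasons.append("outside business hours")
    if balances.get(txn["account"], 0) + txn["amount"] < 0:
        reasons.append("overdraws account")
    if reasons:
        SCARF.append({"id": txn["id"], "account": txn["account"], "reasons": reasons})


def post(balances, txn):
    """The host application's posting routine with the audit module embedded."""
    audit_module(txn, balances)
    balances[txn["account"]] = balances.get(txn["account"], 0) + txn["amount"]


def run_batch(txns):
    """Process a batch; return the balances and a copy of the SCARF exceptions."""
    SCARF.clear()
    balances = {}
    for t in txns:
        post(balances, t)
    return balances, list(SCARF)


def production_balances(balances):
    """ITF housekeeping: the dummy entity must never leak into real reporting."""
    return {acct: bal for acct, bal in balances.items() if acct != ITF_ENTITY}


def itf_check(balances, expected):
    """ITF verification: compare the dummy entity's result with the auditor's
    independently computed expectation."""
    actual = balances.get(ITF_ENTITY, 0)
    return actual, actual == expected


# Constructed batch: live transactions plus the auditor's ITF test data (T4, T5).
BATCH = [
    {"id": "T1", "account": "ACC-100", "amount": 2500, "time": "2024-03-04T10:15:00"},
    {"id": "T2", "account": "ACC-100", "amount": -4000, "time": "2024-03-04T11:00:00"},
    {"id": "T3", "account": "ACC-200", "amount": 15000, "time": "2024-03-04T22:30:00"},
    {"id": "T4", "account": ITF_ENTITY, "amount": 300, "time": "2024-03-04T12:00:00"},
    {"id": "T5", "account": ITF_ENTITY, "amount": -120, "time": "2024-03-04T12:05:00"},
]

if __name__ == "__main__":
    balances, exceptions = run_batch(BATCH)
    print("SCARF exceptions:", exceptions)
    print("production balances:", production_balances(balances))
    print("ITF result:", itf_check(balances, 300 - 120))
```

The SCARF module flags T2 (it overdraws the account) and T3 (large and posted at night) without stopping either; that is the point of the technique, continuous monitoring rather than prevention. The ITF transactions T4 and T5 go through exactly the same posting code as live data, which is what makes the 180 balance on the dummy entity evidence that the application processes correctly; the one discipline ITF demands is the one `production_balances` shows, keeping the dummy entity out of real totals.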

Ch5

RISK, THREAT, EXPOSURE, AND VULNERABILITY

Risk: A risk is the likelihood that an organization would face a vulnerability being exploited or a threat becoming harmful. Information systems can generate many direct and indirect risks. The gap is caused by:

(a) Widespread use of technology.
(b) Interconnectivity of systems.
(c) Elimination of distance, time and space as constraints.
(d) Unevenness of technological changes.
(e) Devolution of management and control.

Threat: A threat is an action, event or condition where there is a compromise in the system, its quality and ability to inflict harm on the organization.

Vulnerability: A vulnerability is the weakness in the system safeguards that exposes the system to threats.

Exposure: An exposure is the extent of loss the organization has to face when a risk materializes.

Likelihood: The likelihood of the threat occurring is the estimation of the probability that the threat will succeed in achieving an undesirable event.

Attack: An attack is a set of actions designed to compromise confidentiality, integrity, availability or any other desired feature of an information system.

What is Residual Risk? An organization's management of risk should consider these two areas: acceptance of residual risk and selection of safeguards.

THREATS TO THE COMPUTERISED ENVIRONMENT (important)

Any computerized environment is dependent on people. They are the critical link in making enterprise computing happen. A few common threats to the computerized environment are:

(a) Power loss: Power failure can cause disruption of all computing equipment, since computing equipment depends on the power supply.
(b) Communication failure: Failure of communication lines results in an inability to transfer data, which primarily travels over communication lines.
(c) Disgruntled employees: A disgruntled employee presents a threat since, with access to sensitive information of the organization
(d) Errors: Errors, which may result from technical reasons, negligence or otherwise, can cause significant integrity issues.
(e) Malicious code: Malicious code such as viruses and worms, which freely traverse unprotected networks, may affect organizational and business networks that use these unprotected networks.
(f) Abuse of access privileges by employees: The security policy of the company authorizes employees, based on their job responsibilities, to access and execute select functions in critical applications.
(g) Natural disasters: Natural disasters such as earthquakes, lightning, floods, tornadoes, tsunamis, etc.
(h) Theft or destruction of computing resources: Since the computing equipment forms the backbone of information processing
(i) Downtime due to technology failure: IS facilities may become unavailable due to technical glitches or equipment failure, and hence the computing infrastructure may not be available for short or extended periods of time.
(j) Fire, etc.: Fire due to an electric short circuit or due to riots, war or other such reasons can cause irreversible damage to the IS infrastructure.

THREATS DUE TO CYBER CRIMES

• Embezzlement: It is the unlawful misappropriation of money or other things of value, by the person to whom it was entrusted, for his/her own use or purpose.
• Fraud: It occurs on account of intentional misrepresentation of information or identity to deceive others.
• Theft of proprietary information: It is the illegal obtaining of designs, plans, blueprints, codes, computer programs, formulas, recipes, trade secrets, graphics, copyrighted material, data, forms, files, lists, and personal or financial information, usually by electronic copying.
• Denial of service: There can be disruption or degradation of service that is dependent on external infrastructure.
• Vandalism or sabotage: It is the deliberate or malicious damage, defacement, destruction or other alteration of electronic files, data, web pages, and programs.
• Computer virus: Viruses are hidden fragments of computer code which propagate by inserting themselves into or modifying other programs.
• Other: Threats include several other cases such as intrusions, breaches and compromises of the respondent's computer networks, regardless of whether damage or loss was sustained as a result.

5.4 RISK ASSESSMENT

A risk assessment can provide an effective approach that will serve as the foundation for avoiding disasters. Through risk analysis, it is possible to identify, assess, and then mitigate the risk.

5.4.1 Risk assessment is a critical step in disaster and business continuity planning. Risk assessment is necessary for developing a well-tested contingency plan.

(a) Prioritization: All applications are inventoried and critical ones identified. Each of the critical applications is reviewed to assess its impact on the organization.
(b) Identifying critical applications: Analysis is done to determine the specific jobs in the applications which may be more critical based on their present value; future changes should not be ignored.
(c) Assessing their impact on the organization: The areas to be considered include:
    • Legal liabilities.
    • Interruptions of customer services.
    • Possible losses.
    • Likelihood of fraud and recovery procedures.
(d) Determining recovery time-frame: The critical recovery time period is the period of time in which business processing must be resumed before the organization incurs severe losses.
(e) Assess insurance coverage: The information system insurance policy should be a multi-peril policy, designed to provide various types of coverage.
(f) Identification of exposures and implications: It is not possible to accurately predict when and how a disaster would occur.

Page 21: Information system control and audit Ch1 elements that ...

21

(g) Development of recovery plan: The plan should be designed to provide for recovery from total destruction of a site. RISK MANAGEMENT: Systematic risks are unavoidable risks - these are constant across majority of technologies and applications. Unsystematic risks are those which are peculiar to the specific applications or technology. One of the major characteristics of these risks would be that they can be generally mitigated by using an advanced technology or system. Risk Management Process: The broad process of risk management will be as follows:

1. Identify the technology related risks under the gamut of operational risks. 2. Assess the identified risks in terms of probability and exposure. 3. Classify the risks as systematic and unsystematic. 4. Look out for technological solutions available to mitigate unsystematic risks. 5. Evaluate the technology risk premium on the available solutions

The Risk Management Cycle: It is a process involving the following steps: identifying assets, vulnerabilities and threats; assessing the risks; developing a risk management plan; implementing risk management actions; and re-evaluating the risks. These steps are categorized into three primary functions: (i) Risk Identification, (ii) Risk Assessment and (iii) Risk Mitigation. Risk assessment is the process of analyzing and measuring risk, and it helps a manager identify and quantify risks to the system.

Risk mitigation involves the implementation of measures designed to reduce or eliminate some or all of those identified risks.

Techniques for Risk Evaluation (important): Following are some of the techniques that are available to assess and evaluate risks.

• Judgement and intuition
• The Delphi approach
• Scoring
• Quantitative techniques

(a) In many situations the auditors have to use their judgement and intuition for risk assessment.

(b) The Delphi Technique was first used by the Rand Corporation for obtaining a consensus opinion. Here a panel of experts is appointed. Each expert gives his opinion in a written and independent manner.

(c) In the Scoring approach the risks in the system and their respective exposures are listed. Weights are then assigned to the risks and to the exposures depending on the severity, impact on occurrence and costs involved.

(d) Quantitative techniques involve calculating an annual loss exposure value based on the probability of the event and the exposure in terms of estimated costs.

RISK MITIGATION: A causal understanding is essential to take appropriate action to control and manage risks, because causality is a basis for both action and prediction.

Common risk mitigation (alleviation/lessening) techniques: Some of the common risk mitigation techniques are as under:

1. Insurance: An organization may buy insurance to mitigate such risk. Under the scheme of the insurance, the loss is transferred from the insured entity to the insurance company in exchange for a premium.

2. Outsourcing: One must make a careful assessment of whether such outsourcing is transferring the risk or is merely transferring the management process.

3. Service Level Agreements: The service agreement with the customers and users may clearly exclude or limit the responsibility of the organization for any loss suffered by the customer and user consequent to a technological failure.
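As an added worked example (not part of the course notes), the following Python risk register walks steps 2 to 5 of the Risk Management Process above together with the scoring and quantitative evaluation techniques and the mitigate/transfer/accept choice from the mitigation techniques: each risk carries constructed exposure and probability figures, each candidate control a constructed annual cost and effectiveness, and every name and number is an assumption for illustration.

```python
from dataclasses import dataclass
@dataclass
class Risk:
    name: str
    single_loss: float   # estimated cost of one occurrence (the exposure)
    annual_rate: float   # expected occurrences per year (the probability)
    systematic: bool     # True: constant across technologies, cannot be engineered away
    severity: int        # scoring inputs, each 1 (low) .. 5 (high)
    impact: int
    cost: int

@dataclass
class Control:
    risk_name: str
    annual_cost: float
    rate_reduction: float  # share of occurrences the control prevents, 0..1

def annual_loss_exposure(r: Risk) -> float:
    """Quantitative technique: probability of the event x exposure in cost."""
    return r.single_loss * r.annual_rate

def score(r: Risk, weights=(0.5, 0.3, 0.2)) -> float:
    """Scoring approach: weights assigned to severity, impact and cost."""
    return sum(w * v for w, v in zip(weights, (r.severity, r.impact, r.cost)))

def technology_risk_premium(r: Risk, c: Control) -> float:
    """Step 5: control cost per unit of expected loss avoided; below 1.0 it pays off."""
    avoided = annual_loss_exposure(r) * c.rate_reduction
    return c.annual_cost / avoided if avoided else float("inf")

def plan(risks, controls, transfer_above=50_000):
    """Steps 3-5: mitigate unsystematic risks that have a worthwhile control; transfer
    (insurance, outsourcing, SLA) systematic or large exposures; accept the rest."""
    by_risk = {c.risk_name: c for c in controls}
    actions = {}
    for r in risks:
        c = by_risk.get(r.name)
        if c and not r.systematic and technology_risk_premium(r, c) < 1.0:
            actions[r.name] = "mitigate"
        elif r.systematic or annual_loss_exposure(r) >= transfer_above:
            actions[r.name] = "transfer"
        else:
            actions[r.name] = "accept"
    return actions
# Constructed register with illustrative figures only.
RISKS = [
    Risk("ransomware", 200_000, 0.25, False, 5, 5, 4),  # ALE 50,000/yr
    Risk("power outage", 20_000, 2.0, True, 3, 4, 2),   # ALE 40,000/yr
    Risk("laptop theft", 3_000, 1.5, False, 2, 2, 1),   # ALE 4,500/yr
]
CONTROLS = [
    Control("ransomware", 15_000, 0.8),   # avoids 40,000/yr -> premium 0.375
    Control("laptop theft", 6_000, 0.9),  # avoids 4,050/yr -> premium 1.48, not worth it
]
```

Calling `plan(RISKS, CONTROLS)` recommends mitigating the ransomware risk, transferring the systematic power-outage risk and accepting the laptop-theft risk, whose control costs more than the loss it avoids.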

Ch6

IS AUDIT STANDARDS: IS audit standards provide audit professionals with a clear idea of the minimum level of acceptable performance essential to discharge their responsibilities effectively. Some of the standards are as follows (maybe choose):

Year   Standards
1994   COSO, CoCo
1996   HIPAA
1998   BS 7799
2000   COBIT

AAS 29 – AUDITING AND ASSURANCE STANDARD ON AUDITING IN A COMPUTER INFORMATION SYSTEMS ENVIRONMENT

The risks and caution that an auditor should exercise while carrying out a traditional audit are the following: the auditor's responsibility in gaining sufficient understanding and assurance on the adequacy of accounting and internal controls that protect against the inherent and control risks in a CIS, and the resulting considerations to be taken while designing audit procedures.

Write a short note about BS 7799: BS 7799 is an international standard setting out the requirements for an Information Security Management System. From the outset, BS 7799 focused on protecting the availability, confidentiality and integrity of organizational information, and this remains, today, the driving objective of the standard.

ISO 27001 – (BS7799: Part II) – Information Security Management Standard: An organization must take a clear view on these issues before trying to implement an Information Security Management System (ISMS).

General: The organization shall establish and maintain a documented ISMS addressing the assets to be protected, the organization's approach to risk management, control objectives and controls, and the degree of assurance required.

Areas of focus of ISMS: There are ten areas of focus of an ISMS. These are described in the following paragraphs:

1. Security Policy: This activity involves a thorough understanding of the organization's business goals and its dependence on information security. The policy should cover:
• A definition of information security
• A statement of management intention supporting the goals and principles of information security
• Allocation of responsibilities for every aspect of implementation
• An explanation of specific applicable proprietary and general principles, standards and compliance requirements.

2. Organizational Security: A management framework needs to be established to initiate, implement and control information security within the organization.

3. Asset Classification and Control: One of the most laborious but essential tasks is to manage an inventory of all the IT assets, which could be information assets, software assets, physical assets or other similar services.

An Information Asset Register (IAR) should be created, detailing every information asset within the organization. For example:
• Databases
• Personnel records
• Scale models
• Prototypes

4. Personnel Security: Appropriate personnel security ensures that:
• Employment contracts and staff handbooks have agreed, clear wording
• Ancillary workers (a person whose work provides necessary support to the primary activities), temporary staff, contractors and third parties are covered
• Anyone else with legitimate access to business information or systems is covered
It must deal with rights as well as responsibilities, for example:
• Access to personal files under the Data Protection Act
• Proper use of equipment as covered by the Computer Misuse Act (in India that would be the Information Technology Act 2000)

5. Physical and Environmental Security: Designing a secure physical environment to prevent unauthorized access, damage and interference to business premises and information is usually the beginning point of any security plan.

6. Communications and Operations Management: Properly documented procedures for the management and operation of all information processing facilities should be established. Controls should be applied to protect electronic commerce from the threats it is exposed to.

7. Access Control: Access to information and business processes should be controlled on the basis of business and security requirements.

8. Systems Development and Maintenance: Security requirements should be identified and agreed prior to the development of information systems.

9. Business Continuity Management: A business continuity management process should be designed, implemented and periodically tested to reduce the disruption caused by disasters and security failures.

10. Compliance: It is essential that strict adherence is observed to the provisions of national and international IT laws, pertaining to Intellectual Property Rights (IPR) and software copyrights.

COBIT (CONTROL OBJECTIVES FOR INFORMATION RELATED TECHNOLOGY) – IT Governance Model (important def and models)

COBIT combines the principles embedded in existing and known reference models:
♦ Quality Requirements: Quality, Cost, Delivery
♦ Fiduciary (trust) Requirements: Effectiveness and Efficiency of operations, Reliability of Information, Compliance with laws and regulations
♦ Security Requirements: Confidentiality, Integrity, Availability

Quality: The usability aspect of Quality is covered by the Effectiveness criterion. The Delivery aspect of Quality was considered to overlap with the Availability aspect of the Security requirements and also, to some extent, with Effectiveness and Efficiency.

Security Requirements: COBIT identified Confidentiality, Integrity and Availability as the key elements; these same three elements, it was found, are used worldwide in describing IT security requirements.

Framework: The COBIT Framework consists of high-level control objectives and an overall structure for their classification. Their natural grouping is often confirmed as responsibility domains in an organizational structure and is in line with the management cycle or life cycle applicable to IT processes.

Domains of COBIT: Four broad domains are identified: planning and organization, acquisition and implementation, delivery and support, and monitoring.

Planning and Organization - This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives.

Acquisition and Implementation - To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process.

Delivery and Support - This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training.

Monitoring - All IT processes need to be regularly assessed over time for their quality and compliance with control requirements.

COBIT and Other Standards: COBIT and ISO/IEC 17799:2005: The two international standards used today are COBIT and ISO/IEC 17799:2005. COBIT was released and used primarily by the IT community. ISO/IEC 17799:2005 is also an international standard and is best practice for implementing security management.

COSO: The COSO Internal Control Integrated Framework states that internal control is a process established by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of stated objectives.

Ch7

SYSTEM SECURITY: Security relates to the protection of valuable assets against loss, disclosure or damage (important)

Confidentiality: Prevention of the unauthorized disclosure of information.

Integrity: Prevention of the unauthorized modification of information.

Availability: Prevention of the unauthorized withholding of information.

What Information is Sensitive? The common thread in each case is the critical information that each generates.

Strategic Plans: Most organizations readily acknowledge that strategic plans are crucial to the success of a company. But most companies fail to really make an effort to protect these plans.

Business Operations: Business operations consist of an organization's processes and procedures, most of which are deemed to be proprietary. As such, they may provide a market advantage to the organization.

Finances: Financial information, such as salaries and wages, is very sensitive and should not be made public. While general salary ranges are known within industry sectors, precise salary information can provide a competitive edge.

PROTECTING COMPUTER-HELD INFORMATION SYSTEMS: We need to define a few basic ground rules that must be addressed sequentially:

Rule #1: We need to know what the information systems are and where they are located.
Rule #2: We need to know the value of the information held and how difficult it would be to recreate if it were damaged or lost.
Rule #3: We need to know who is authorized to access the information and what they are permitted to do with it.
Rule #4: We need to know how quickly the information needs to be made available should it become unavailable for whatever reason (loss, unauthorized modification, etc.).

Holistic Protection: Protecting corporate information systems from harm or loss is not an easy task. Protection must be done holistically and give the organization the appropriate level of security at a cost that is acceptable to the business.

TYPES OF INFORMATION SECURITY POLICIES AND THEIR HIERARCHY: Major Information Security Policies are given as follows:

• Information Security Policy: This policy provides a definition of Information Security, its overall objective and the importance that applies to all users.

• User Security Policy: This policy sets out the responsibilities and requirements for all IT system users.

• Acceptable Usage Policy: This sets out the policy for acceptable use of email and Internet services.

• Organizational Information Security Policy: This policy (the one you are reading) sets out the Group policy for the security of its information assets and the Information Technology (IT) systems processing this information.

• Network & System Security Policy: This policy sets out detailed policy for system and network security and applies to IT department users.

• Information Classification Policy: This policy sets out the policy for the classification of information.

• Conditions of Connection: This policy sets out the Group policy for connecting to their network.

Components of the Security Policy: A good security policy should clearly state the following:

• The Security Infrastructure,
• Security Organization Structure,
• Inventory and Classification of Assets,
• Description of Technologies and Computing Structure,
• Physical and Environmental Security,
• Identity Management and Access Control,
• IT Operations Management,
• IT Communications,
• System Development and Maintenance Controls,
• Business Continuity Planning,
• Legal Compliances,
• Monitoring and Auditing Requirements, and
• Underlying Technical Policy.

Classification and Security Classification: Following are the major points for these classifications:

An inventory of assets must be maintained. This must include physical, software and information assets.

A formal, documented classification scheme (as set out in the Information Classification Policy) should be in place and all staff must comply with it.

The originator or 'owner' of an item of information (e.g. a document, file, diskette, printed report, screen display, e-mail, etc.) should provide a security classification, where appropriate.

The handling of information which is protectively marked CONFIDENTIAL or above (i.e. above RESTRICTED) must be specifically approved.

Exchanges of data and software between organizations must be controlled. Organizations to whom information is to be sent must be informed of the protective marking associated with that information, in order to establish that it will be handled by personnel with a suitable clearance corresponding to the protective marking.

Appropriate procedures for information labeling and handling must be agreed and put into practice.

Classified waste must be disposed of appropriately and securely.
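As an added illustration (not from the course notes), the Python below enforces the marking rules listed above: a recipient's clearance must cover the protective marking, CONFIDENTIAL and above need specific approval, and the receiving organization is informed of the marking before data is exchanged. Only RESTRICTED and CONFIDENTIAL come from the notes; the PUBLIC and SECRET levels, the asset names, the approver and the organizations are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Protective markings ordered low to high. Only RESTRICTED and CONFIDENTIAL appear in
# the notes; PUBLIC and SECRET are assumed here to complete the scale.
LEVELS = ["PUBLIC", "RESTRICTED", "CONFIDENTIAL", "SECRET"]
APPROVAL_FROM = "CONFIDENTIAL"   # handling at this marking or above needs specific approval

def rank(level: str) -> int:
    """Position of a marking on the scale; unknown markings are rejected, not guessed."""
    if level not in LEVELS:
        raise ValueError(f"unknown protective marking: {level!r}")
    return LEVELS.index(level)

@dataclass
class Asset:
    name: str
    owner: str      # the originator assigns the marking
    marking: str

@dataclass
class Recipient:
    org: str
    clearance: str  # highest marking its personnel are cleared to handle
    informed_of: Set[str] = field(default_factory=set)  # markings it has been told about

def needs_approval(asset: Asset) -> bool:
    """CONFIDENTIAL or above (i.e. above RESTRICTED) must be specifically approved."""
    return rank(asset.marking) >= rank(APPROVAL_FROM)

def authorise_exchange(asset: Asset, to: Recipient,
                       approved_by: Optional[str] = None) -> Tuple[bool, str]:
    """Apply the exchange rules in order: the recipient's clearance must cover the
    marking, higher markings need a named approver, and the recipient is informed of
    the marking before anything is sent."""
    if rank(to.clearance) < rank(asset.marking):
        return False, f"{to.org} is cleared only to {to.clearance}; asset is {asset.marking}"
    if needs_approval(asset) and not approved_by:
        return False, f"handling {asset.marking} information requires specific approval"
    to.informed_of.add(asset.marking)
    who = f", approved by {approved_by}" if approved_by else ""
    return True, f"{asset.name} ({asset.marking}) may be sent to {to.org}{who}"

# Constructed sample data.
PAYROLL = Asset("payroll database", "hr-manager", "CONFIDENTIAL")
PRICE_LIST = Asset("internal price list", "sales-lead", "RESTRICTED")
AUDITOR = Recipient("ExternalAudit LLP", "CONFIDENTIAL")
PRINTER = Recipient("PrintShop Ltd", "RESTRICTED")
```

Sending PAYROLL to PRINTER is refused on clearance, sending it to AUDITOR is refused until an approver is named, and the RESTRICTED price list goes to PRINTER without approval.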